Information security experts have noticed that Adobe Acrobat tries to prevent antivirus products from inspecting PDF files opened by users, thereby creating a security risk. Reportedly, Adobe Acrobat checks whether components of about 30 security products are loaded into its processes and then blocks them, effectively making it impossible to track malicious activity.
Minerva Labs analysts explain that security solutions usually need “visibility” into all processes on the system in order to work. Typically, this is achieved by injecting a DLL into software running on the user’s machine. Since March 2022, experts have observed a gradual increase in the activity of Adobe Acrobat Reader processes that try to find out which DLLs associated with security products are loaded (by obtaining a handle to the DLL).
According to the report, Adobe is currently looking for about 30 DLLs, including those related to Bitdefender, Avast, Trend Micro, Symantec, Malwarebytes, ESET, Kaspersky, F-Secure, Sophos, and Emsisoft antivirus.
The queries to the system are made through libcef.dll, the Chromium Embedded Framework (CEF) library used by a wide range of programs. The researchers write that “libcef.dll is loaded by two Adobe processes: AcroCEF.exe and RdrCEF.exe”, that is, both products check the system for components of the same security solutions.
After examining what happens to DLLs injected into Adobe processes, Minerva Labs found that Adobe checks whether the bBlockDllInjection value in the SOFTWARE\Adobe\Adobe Acrobat\DC\DLLInjection\ registry key is set to “1”. If it is, Adobe prevents antivirus DLLs from being injected.
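A read-only audit of the setting and processes described above, as an added example that is not code from Minerva Labs or Adobe. It assumes the key may sit under HKLM or HKCU, in either the native or WOW6432Node view (the page names only the subkey and value), and it uses a company-name filter that is a heuristic:

```powershell
# Added example: read-only audit, changes nothing on the system.
# From the page: subkey path, value name, process names AcroCEF.exe / RdrCEF.exe.
# Assumptions: which hive and registry view hold the key; the vendor filter below.
$tail      = 'Adobe\Adobe Acrobat\DC\DLLInjection'
$valueName = 'bBlockDllInjection'

$candidates = foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($view in 'SOFTWARE', 'SOFTWARE\WOW6432Node') {
        "$hive\$view\$tail"
    }
}

# 1. Report where the value exists and whether it is set to "1".
$findings = foreach ($path in $candidates) {
    $item = Get-ItemProperty -LiteralPath $path -Name $valueName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Key      = $path
        Present  = [bool]$item
        Value    = if ($item) { $item.$valueName } else { $null }
        Blocking = ($item -and "$($item.$valueName)" -eq '1')
    }
}
$findings | Format-Table -AutoSize

# 2. List modules loaded in the two CEF host processes that are not from
#    Adobe or Microsoft. A security product that depends on an injected DLL
#    should show up here; libcef.dll itself will also be listed.
$modules = foreach ($proc in Get-Process -Name AcroCEF, RdrCEF -ErrorAction SilentlyContinue) {
    try {
        $proc.Modules |
            Where-Object { $_.FileVersionInfo.CompanyName -notmatch 'Adobe|Microsoft' } |
            ForEach-Object {
                [pscustomobject]@{
                    Process = $proc.Name
                    Pid     = $proc.Id
                    Module  = $_.ModuleName
                    Company = $_.FileVersionInfo.CompanyName
                }
            }
    } catch {
        # Module enumeration can fail without sufficient rights or across bitness.
        Write-Warning "Cannot read modules of $($proc.Name) ($($proc.Id)): $($_.Exception.Message)"
    }
}
$modules | Sort-Object Process, Company, Module | Format-Table -AutoSize
```

Run it while a PDF is open so the CEF processes exist; enumerating a 32-bit process from 64-bit PowerShell can return an incomplete module list.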
Judging by March posts on the Citrix forums, a user complained about errors in Sophos AV, which did not work correctly because of Adobe products. The user wrote that the company suggested that he “disable DLL injection for Acrobat and Reader.”
According to Bleeping Computer, Adobe representatives confirm that users are indeed complaining about “stability issues” that arise because the DLL components of some security products are incompatible with the CEF library used by Adobe Acrobat. The company says it is currently working on the issue with security vendors.
Minerva Labs researchers, in turn, argue that Adobe has chosen a method that solves the compatibility problems but creates a security risk and increases the risk of attacks by preventing antivirus products from properly protecting the system.